Allow the singular constraint clause to list multiple addresses;

ok deraadt@

src/usr.sbin/ntpd/ntpd.conf.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: ntpd.conf.5,v 1.37 2017/08/10 22:59:42 job Exp $
+.\" $OpenBSD: ntpd.conf.5,v 1.38 2019/11/06 13:35:25 otto Exp $
 .\"
 .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 .\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 10 2017 $
+.Dd $Mdocdate: November 6 2019 $
 .Dt NTPD.CONF 5
 .Os
 .Sh NAME
@@ -193,9 +193,13 @@ Received NTP packets with time information falling outside of a range
 near the constraint will be discarded and such NTP servers
 will be marked as invalid.
 .Bl -tag -width Ds
-.It Ic constraint from Ar url
+.It Ic constraint from Ar url [ip...]
 Specify the URL, IP address or the hostname of an HTTPS server to
 provide a constraint.
+If the url is followed by one or more addresses the url and addresses will be
+tried until a working one is found.
+The url path and expected certificate name is always taken from the
+url specified.
 If
 .Ic constraint from
 is used more than once,
@@ -204,6 +208,7 @@ will calculate a median constraint from all the servers specified.
 .Bd -literal -offset indent
 server ntp.example.org
 constraint from www.example.com
+constraint from "https://9.9.9.9" "2620:fe::9"
 .Ed
 .It Ic constraints from Ar url
 As with

src/usr.sbin/ntpd/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.73 2019/07/16 14:15:40 otto Exp $ */
+/*	$OpenBSD: parse.y,v 1.74 2019/11/06 13:35:25 otto Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -88,7 +88,7 @@ typedef struct {
 %token	ERROR
 %token	<v.string>		STRING
 %token	<v.number>		NUMBER
-%type	<v.addr>		address url
+%type	<v.addr>		address url urllist
 %type	<v.opts>		listen_opts listen_opts_l listen_opt
 %type	<v.opts>		server_opts server_opts_l server_opt
 %type	<v.opts>		sensor_opts sensor_opts_l sensor_opt
@@ -272,7 +272,7 @@ main		: LISTEN ON address listen_opts	{
 			free($3->name);
 			free($3);
 		}
-		| CONSTRAINT FROM url		{
+		| CONSTRAINT FROM urllist		{
 			struct constraint	*p;
 			struct ntp_addr		*h, *next;
 
@@ -329,6 +329,36 @@ address		: STRING		{
 		}
 		;
 
+urllist		: urllist address {
+			struct ntp_addr *p, *q = NULL;
+			struct in_addr ina;
+			struct in6_addr in6a;
+
+			if (inet_pton(AF_INET, $2->name, &ina) != 1 &&
+			    inet_pton(AF_INET6, $2->name, &in6a) != 1) {
+				yyerror("url can only be followed by IP "
+				    "addresses");
+				free($2->name);
+				free($2);
+				YYERROR;
+			}
+			p = $2->a;
+			while (p != NULL) {
+				q = p;
+				p = p->next;
+			}
+			if (q != NULL) {
+				q->next = $1->a;
+				$1->a = $2->a;
+				free($2);
+			}
+			$$ = $1;
+		}
+		| url {
+			$$ = $1;
+		}
+		;
+
 url		: STRING		{
 			char	*hname, *path;